[Samba] Problems running kinit on a (wannabe) secondary DC

Lorenzo Milesi lorenzo.milesi at yetopen.com
Thu Jul 14 06:43:44 UTC 2022


I've installed a DC on Ubuntu 20.04 with Samba 4.15 using Van Belle's repos.
The DC is used for LDAP auth and working fine. It hasn't been tested for Windows clients auth, yet.

I'm attempting to configure a secondary DC, on a remote VPS with the same specs as above, but I'm unable to initialize kerberos communications. On the client I get the "classic" 'Cannot contact any KDC for realm ... while getting initial credentials', while from debug I'm unable to figure out what's going bad.

Active DC: 192.168.8.1 Samba 4.15.7-Ubuntu (dc-contabo)
Secondary DC: 192.168.1.206 Samba 4.15.7-Ubuntu (dc-lan)


root at dc-lan:~# KRB5_TRACE=/dev/stdout kinit Administrator
[987] 1657780070.241479: Getting initial credentials for Administrator at WDC.DOMAIN.IT
[987] 1657780070.241481: Sending unauthenticated request
[987] 1657780070.241482: Sending request (215 bytes) to WDC.DOMAIN.IT
[987] 1657780070.241483: Resolving hostname 127.0.0.1
[987] 1657780070.241484: Sending initial UDP request to dgram 127.0.0.1:88
[987] 1657780070.241485: Resolving hostname 192.168.8.1
[987] 1657780070.241486: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780070.241487: Received answer (329 bytes) from dgram 192.168.8.1:88
[987] 1657780070.241488: Response was not from master KDC
[987] 1657780070.241489: Received error from KDC: -1765328359/Additional pre-authentication required
[987] 1657780070.241492: Preauthenticating using KDC method data
[987] 1657780070.241493: Processing preauth types: PA-PK-AS-REQ (16), PA-PK-AS-REP_OLD (15), PA-ENC-TIMESTAMP (2), PA-ETYPE-INFO2 (19)
[987] 1657780070.241494: Selected etype info: etype aes256-cts, salt "WDC.DOMAIN.ITAdministrator", params "\x00\x00\x10\x00"
Password for Administrator at WDC.DOMAIN.IT:
[987] 1657780077.572430: AS key obtained for encrypted timestamp: aes256-cts/3E73
[987] 1657780077.572432: Encrypted timestamp (for 1657780077.598028): plain 301AA011180F32303232303731343036323735375AA105020309200C, encrypted E3722A947D2C51C6E1DE8168FFE8454C2C57D19A957E468926BE799D9642A98A234B23B4C2DAEFDF8B9613E5CB0A59EB94D85720C63CF9CE
[987] 1657780077.572433: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[987] 1657780077.572434: Produced preauth for next request: PA-ENC-TIMESTAMP (2)
[987] 1657780077.572435: Sending request (295 bytes) to WDC.DOMAIN.IT
[987] 1657780077.572436: Resolving hostname 127.0.0.1
[987] 1657780077.572437: Sending initial UDP request to dgram 127.0.0.1:88
[987] 1657780077.572438: Resolving hostname 192.168.8.1
[987] 1657780077.572439: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780077.572440: Received answer (201 bytes) from dgram 192.168.8.1:88
[987] 1657780077.572441: Response was not from master KDC
[987] 1657780077.572442: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[987] 1657780077.572443: Request or response is too big for UDP; retrying with TCP
[987] 1657780077.572444: Sending request (295 bytes) to WDC.DOMAIN.IT (tcp only)
[987] 1657780077.572445: Resolving hostname 127.0.0.1
[987] 1657780077.572446: Initiating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572447: Terminating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572448: Resolving hostname 192.168.8.1
[987] 1657780077.572449: Initiating TCP connection to stream 192.168.8.1:88
[987] 1657780077.572450: Sending TCP request to stream 192.168.8.1:88
[987] 1657780101.669482: Terminating TCP connection to stream 192.168.8.1:88
kinit: Cannot contact any KDC for realm 'WDC.DOMAIN.IT' while getting initial credentials

On the primary, log.samba:
[2022/07/14 08:27:57.595905,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator at WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 08:27:57.595895 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.206:53256] became [DOMAIN]\[Administrator] [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
  {"timestamp": "2022-07-14T08:27:57.596084+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "d6850b4b1d4f33d4", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:53256", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "Administrator at WDC.DOMAIN.IT", "workstation": null, "becameAccount": "Administrator", "becameDomain": "DOMAIN", "becameSid": "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount": "Administrator", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 4066}}
[2022/07/14 08:27:57.663338,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[Administrator at WDC.DOMAIN.IT] at [Thu, 14 Jul 2022 08:27:57.663328 CEST] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.1.206:37690] became [DOMAIN]\[Administrator] [S-1-5-21-29876631-4178411864-4110581247-500]. local host [NULL]
  {"timestamp": "2022-07-14T08:27:57.663603+0200", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4624, "logonId": "4f496ebd9a181770", "logonType": 3, "status": "NT_STATUS_OK", "localAddress": null, "remoteAddress": "ipv4:192.168.1.206:37690", "serviceDescription": "Kerberos KDC", "authDescription": "ENC-TS Pre-authentication", "clientDomain": null, "clientAccount": "Administrator at WDC.DOMAIN.IT", "workstation": null, "becameAccount": "Administrator", "becameDomain": "DOMAIN", "becameSid": "S-1-5-21-29876631-4178411864-4110581247-500", "mappedAccount": "Administrator", "mappedDomain": "DOMAIN", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "aes256-cts-hmac-sha1-96", "duration": 4787}}


Primary smb.conf:
# Global parameters
[global]
        dns forwarder = 1.1.1.1
        netbios name = DC-CONTABO
        realm = WDC.DOMAIN.IT
        server role = active directory domain controller
        workgroup = DOMAIN
        allow dns updates = disabled
        interfaces = eth1
        bind interfaces only = yes
        server services = -dns
        log level = 1 auth_audit:3 auth_json_audit:3 kerberos:10
        tls enabled  = yes
        tls keyfile  = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile   = tls/ca.pem

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/wdc.domain.it/scripts
        read only = No

Secondary smb.conf is yet to be created.

Primary /etc/krb5.conf:
[libdefaults]
        default_realm = WDC.DOMAIN.IT
        dns_lookup_kdc = true
        dns_lookup_realm = false

Secondary /etc/krb5.conf:
[libdefaults]
        default_realm = WDC.DOMAIN.IT
        dns_lookup_kdc = false
        dns_lookup_realm = false
[realms]
        WDC.DOMAIN.IT = {
                kdc = 127.0.0.1
                kdc = 192.168.8.1
        }

Thanks
-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.com 
CTO @ YetOpen Srl
YetOpen - https://www.yetopen.com/
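Added example, not part of the original post: a small Python helper that reads a KRB5_TRACE dump like the one above and reports, per KDC, how the TCP leg ended. The trace shows UDP working, the KDC asking for a TCP retry, and the TCP request to 192.168.8.1:88 staying unanswered for roughly 24 seconds before the client gives up; the script makes that visible without reading the trace by hand. The embedded sample trace is constructed from the lines above and the function names are my own.

```python
import re

# Constructed excerpt modelled on the KRB5_TRACE output in the post
# (only the transport-related lines are needed for this analysis).
SAMPLE_TRACE = """\
[987] 1657780077.572439: Sending initial UDP request to dgram 192.168.8.1:88
[987] 1657780077.572440: Received answer (201 bytes) from dgram 192.168.8.1:88
[987] 1657780077.572442: Received error from KDC: -1765328332/Response too big for UDP, retry with TCP
[987] 1657780077.572446: Initiating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572447: Terminating TCP connection to stream 127.0.0.1:88
[987] 1657780077.572449: Initiating TCP connection to stream 192.168.8.1:88
[987] 1657780077.572450: Sending TCP request to stream 192.168.8.1:88
[987] 1657780101.669482: Terminating TCP connection to stream 192.168.8.1:88
"""

LINE_RE = re.compile(r"^\[\d+\] (?P<ts>\d+\.\d+): (?P<msg>.*)$")

def parse_trace(text):
    """Yield (timestamp, message) for every KRB5_TRACE line; skip prompts and noise."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield float(m.group("ts")), m.group("msg")

def udp_fallback_requested(text):
    """True if a KDC told the client to retry over TCP (response too big for UDP)."""
    return any("retry with TCP" in msg for _, msg in parse_trace(text))

def tcp_attempts(text):
    """Per 'ip:port', record whether a TCP request was sent, whether an answer
    came back over that stream, and how long the connection stayed open."""
    opened, result = {}, {}
    for ts, msg in parse_trace(text):
        m = re.search(r"stream (\S+)$", msg)   # only TCP ('stream') lines, not UDP ('dgram')
        if not m:
            continue
        kdc = m.group(1)
        st = result.setdefault(kdc, {"sent": False, "answered": False, "seconds": 0.0})
        if msg.startswith("Initiating TCP connection"):
            opened[kdc] = ts
        elif msg.startswith("Sending TCP request"):
            st["sent"] = True
        elif msg.startswith("Received answer"):
            st["answered"] = True
        elif msg.startswith("Terminating TCP connection"):
            st["seconds"] = round(ts - opened.pop(kdc, ts), 3)
    return result

def diagnose(text):
    """One finding per KDC: answered, timed out after sending, or connect failed."""
    findings = []
    for kdc, st in tcp_attempts(text).items():
        if st["answered"]:
            findings.append(f"{kdc}: answered over TCP")
        elif st["sent"]:
            findings.append(f"{kdc}: TCP request sent, no reply, closed after {st['seconds']:.0f}s (timeout)")
        else:
            findings.append(f"{kdc}: TCP connect failed at once (nothing listening or refused)")
    return findings

if __name__ == "__main__":
    print("UDP fallback to TCP requested:", udp_fallback_requested(SAMPLE_TRACE))
    print("\n".join(diagnose(SAMPLE_TRACE)))
```

A "sent, no reply" result for the remote KDC points at TCP/88 reachability or path MTU between the two hosts rather than at authentication, which is consistent with the KDC logging NT_STATUS_OK for the pre-authentication.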
